ISBN: 0-471-41405-0
Security Protocols and Their Wireless Usage
Developers are most likely to get involved with the following protocols when working with wireless applications.
Wireless Transport Layer Security (WTLS). WTLS is part of the WAP stack and enables the use of certificates, as we described in Chapter 7, "The Wireless Application Protocol (WAP)." WTLS is an enhanced version of TLS (although they are largely the same). TLS itself, formerly known as the Secure Sockets Layer (SSL), might be used by some devices that lack WAP support (mainly more powerful devices such as laptop computers).
Figure 12.3 GPRS VPN access. (Figure not reproduced; it shows a VPN client reaching the corporate network across the GPRS/3G network.)
IPsec. IPsec enables IP layer security for a variety of bearers, including connectionless ones. IPsec includes encryption and other cryptography features. The standardization of IPsec was finalized in 1999, and deployment then started. General Packet Radio Services (GPRS), for instance, includes support for IPsec, which is especially useful when the backbone is shared between several operators and when you are using Virtual Private Network (VPN) applications. A VPN application enables corporate users to access internal information even when it is not within the physical location of the company. People generally view this functionality as one of the more obvious successful applications, where GPRS-enabled laptops (via a PC card or a Bluetooth-enabled GPRS phone) are always connected to the corporate intranet and e-mail systems (see Figure 12.3).
In Figure 12.3, the GPRS-enabled laptop connects directly to the corporate intranet, which assigns an IP address. The RADIUS server authenticates the user and gives him or her access to corporate resources. You can also use other solutions where DHCP is used for IP address assignment and RADIUS only authenticates the user.
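The RADIUS step in that flow, as an added illustration that is not code from the book or from any RADIUS product: the Python below builds and parses a RADIUS Access-Request carrying a PAP User-Password as defined in RFC 2865, which is what the VPN concentrator (acting as the NAS) sends to the RADIUS server to authenticate the user. The shared secret, user name, password, NAS address and the fixed Request Authenticator used in the comments are constructed sample values.

```python
"""RADIUS Access-Request (RFC 2865) with PAP User-Password hiding.
Illustrative example; not code from the book or from any RADIUS product."""
import hashlib
import secrets
import socket
import struct
from typing import Optional

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20             # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, padded_len, 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c                    # chaining: next block is keyed by this ciphertext
    return bytes(out)


def _reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of _hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type(1) Length(1, counts these two octets too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: str, password: str,
                         nas_ip: str = "192.0.2.1",
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build the packet the NAS (here: the VPN concentrator) sends to the server.
    The Request Authenticator must be fresh and unpredictable for every request:
    reusing it with the same secret reuses the MD5 keystream across passwords."""
    ra = authenticator if authenticator is not None else secrets.token_bytes(16)
    if len(ra) != 16:
        raise ValueError("authenticator must be 16 octets")
    attrs = b"".join([
        _attr(ATTR_USER_NAME, username.encode()),
        _attr(ATTR_USER_PASSWORD, _hide_password(secret, ra, password.encode())),
        _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + ra + attrs


def parse_access_request(secret: bytes, packet: bytes) -> dict:
    """Server side: validate the framing, walk the TLVs and recover the password."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs, off = packet[4:20], {}, HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return {
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": _reveal_password(secret, ra, attrs[ATTR_USER_PASSWORD]).decode(),
        "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
    }


if __name__ == "__main__":
    shared_secret = b"constructed-shared-secret"       # constructed sample value
    pkt = build_access_request(shared_secret, 7, "alice", "s3cret")
    print(parse_access_request(shared_secret, pkt))
```

The point a practitioner should take from this is how thin the protection on the password attribute is: it is MD5 keyed with the shared secret and chained from the Request Authenticator, nothing more. That is why the RADIUS path between the NAS and the server belongs on a protected segment (the IPsec-protected backbone mentioned above is one way to get that), why the shared secret must be long and random, and why the authenticator has to be fresh for every request.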
In addition, there is a wide range of proprietary security solutions that solve specific problems.
Although mobile Internet networks are generally much more secure than their wired counterparts, there are still some issues that you need to consider. Most of these issues are fairly easy to handle once they are known and considered. The first one involves the protocol translation in the WAP gateway, and the second involves Bluetooth's lack of user-level security.
WAP Security Issues
If we recall the description of the Wireless Application Protocol (WAP) gateway in Chapter 7, we remember the way that protocols are converted within the WAP gateway (as seen in Figure 12.4).
The WAP gateway converts the TCP/IP protocols into WAP protocols, which includes a translation of the security features. We use Transport Layer Security (TLS) between the WAP gateway and the content server, and Wireless Transport Layer Security (WTLS) between the WAP gateway and the WAP mobile device. At the point of this conversion the data has to be decrypted for a brief period of time and then re-encrypted for the other side. People have voiced their concerns over this procedure, because someone who compromised the WAP gateway could gain access to this information. WAP gateway manufacturers have been very active in designing the gateway in ways that minimize this risk. These efforts include doing both decryption and encryption in the same process internally, thus not storing the unprotected data in persistent memory and minimizing the time that the data is unprotected. Therefore, this issue comes down to whether the application developer trusts the mobile operator (or whoever owns the WAP gateway) and how much control the user wants to have over it.
Figure 12.4 WAP gateway anatomy with a security flaw. (Figure not reproduced; it shows the gateway's encoding, conversion and caching stages between the WDP/UDP side and the TCP/IP side, with the content unprotected for a brief moment at the conversion stage.)
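To make the translation point concrete, here is an added model of it in Python; it is not code from the book or from any WAP gateway product. The record format is a stand-in encrypt-then-MAC construction built from HMAC-SHA256 (it is not real WTLS or TLS), the session keys are constructed at random, and the `observer` hook is a stand-in for anything running inside a compromised gateway process. The model shows why the plaintext is exposed at the gateway, why doing the whole translation in one step with no persistent copy is the mitigating design the text describes, and that a record modified on either hop is rejected before it is decrypted.

```python
"""Model of the WAP gateway's WTLS/TLS translation point.
Illustrative example; not code from the book or any WAP gateway product.
The record format is a stand-in, not real WTLS or TLS."""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: adequate for a model, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal_record(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(key: bytes, record: bytes) -> bytes:
    """Verify the tag before decrypting; any modification on the path is rejected."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def translate(record_in: bytes, key_in: bytes, key_out: bytes, observer=None) -> bytes:
    """The gateway step: decrypt under the handset-side session and re-encrypt under
    the server-side session in one call, so the plaintext never leaves this frame or
    touches persistent storage. `observer` stands in for code running inside a
    compromised gateway process: it is handed the plaintext, which is the flaw."""
    plaintext = bytearray(open_record(key_in, record_in))
    if observer is not None:
        observer(bytes(plaintext))
    record_out = seal_record(key_out, bytes(plaintext))
    for i in range(len(plaintext)):      # best-effort wipe of the unprotected copy
        plaintext[i] = 0
    return record_out


def demo(message: bytes):
    """Handset -> gateway -> content server. Returns what the server received and
    what an observer inside the gateway process was able to see."""
    wtls_key = secrets.token_bytes(32)   # handset <-> gateway session (WTLS stand-in)
    tls_key = secrets.token_bytes(32)    # gateway <-> content server session (TLS stand-in)
    seen_inside_gateway = []
    air_record = seal_record(wtls_key, message)
    wire_record = translate(air_record, wtls_key, tls_key, observer=seen_inside_gateway.append)
    delivered = open_record(tls_key, wire_record)
    return delivered, seen_inside_gateway


def opens_cleanly(key: bytes, record: bytes) -> bool:
    """True if the record authenticates under this key."""
    try:
        open_record(key, record)
        return True
    except ValueError:
        return False


def rejects_modified_record(key: bytes, record: bytes) -> bool:
    """True if flipping one bit of the record makes open_record refuse it."""
    modified = bytearray(record)
    modified[NONCE_LEN] ^= 0x01
    return not opens_cleanly(key, bytes(modified))


if __name__ == "__main__":
    delivered, seen = demo(b"balance query for account 1234")   # constructed message
    print("server received:", delivered)
    print("visible inside the gateway:", seen)
```

Running `demo` shows both halves of the argument in the text: the content server gets the message intact, and so does anything inside the gateway process, because the handset's session ends there. Nothing on the air interface or on the wire between gateway and server can read or alter a record without the right session key, so the residual exposure is exactly the gateway, which is why the question becomes who operates it.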
Despite the precautions and the trust issues with mobile operators, some developers of applications with high security requirements solve this problem by hosting the WAP gateway themselves. Examples include mobile banking, mobile brokerage accounts, and mobile commerce (m-commerce) sites. Those who decide to take this step need to be aware of some of the consequences, however:
You need to work on maintaining the WAP gateway. This node is not a simple PC that any information technology (IT) personnel know how to configure and run.
Some WAP handsets only enable the configuration of a single WAP gateway. In other words, the handset needs to be reconfigured when changing to your application and its WAP gateway. Some handsets enable users to define profiles that they can switch between. You must weigh this added complexity.
The WAP gateway costs money and probably needs to be upgraded when new releases of the standard arrive.
The advantages include the security options that we discussed previously but also full control of all other features of the gateway. The application owner does not have to rely on high availability from the operator but can be in 100 percent control himself or herself. As WAP usage increases, the private gateway is only affected by the traffic of its own dedicated application(s). Those who provide mission-critical applications are obviously reluctant to have WAP gateway performance depend on others' applications and might prefer obtaining a private gateway.